Payment Card Acceptance
Business Affairs provides credit card and eCheck payment processing services and assists campus merchants with Payment Card Industry rules compliance.
If your department would like to accept credit card or eCheck payments, follow these steps:
- Read the UO Payment Card Acceptance Policy
- Select a Processing Method
- Complete the Payment Card Acceptance Request Form
- Before contracting with a third party for card processing services, complete the Third Party Credit Card Processor Authorization Request Form.
- Before connecting a payment card terminal or other card processing device to the university network, provide the model and serial number, MAC address, building name, room number, jack number and IP to Network and Telecom Services.
- Participate in annual security awareness training.
- Establish and maintain merchant operating procedures
- Perform your annual PCI compliance self assessment (see Merchant Requirements)
Selecting a Processing Method
- Online payments using QuikPAY. We highly recommend this method because:
  - No transaction fees (just merchant processing fees 2-3%)
  - Custom order form created and hosted by BAO at no charge
  - Real time online transaction reporting
  - Automatic daily Banner deposit
  - No merchant account application
  - Annual merchant self assessment performed by BAO
- 3rd party service provider other than QuikPAY. You may wish to contract with another payment vendor who provides features and functions not available with QuikPAY. Before executing a contract, your vendor must be approved by Business Affairs and complete the Third Party Credit Card Processor Authorization Request Form.
- Payment Card Terminal. This method is safest for card present over the counter transactions or mail and telephone orders when a cash register is not needed. Terminals can be borrowed or purchased through the Cashiers office. Wireless, battery powered, cellular connected terminals are available if portability is needed. Terminals connected using an analog phone line or private cell network qualify for SAQ B. Terminals connected to Ethernet qualify for SAQ B-IP, must be placed by Information Services on a PCI VLAN, and must be protected by a firewall. They also require quarterly vulnerability scans performed by an approved scan vendor (ASV). This must be requested through BAO.
- Point of Sale Solution. Operations such as food services that require a cash register often procure a POS solution from a third party service provider. Before executing a contract, your vendor must be approved by Business Affairs and complete the Third Party Credit Card Processor Authorization Request Form. The university's merchant bank offers a tablet based POS solution called Talech. If interested, contact Business Affairs to arrange a demonstration.
- Mobile Payment Processing. Phone based card acceptance solutions are popular but risky because they are vulnerable to malware residing on the device. The university's merchant bank offers a solution that converts your phone or tablet into a secure mobile point of sale solution.
University Merchant Requirements
University merchants must:
- Comply with the UO Payment Card Acceptance Policy
- Comply with the university merchant banking service agreement (Elavon/US Bank)
- Never store cardholder data on university computers or on portable devices and media.
- Never accept customer card information by email or on a multi-function printer/copier/fax machine.
- Self-assess and validate compliance with PCI Rules annually by March 31st.
- Ensure all employees involved in card processing participate annually in security awareness training.
- Before contracting with a third party for card processing services complete the Third Party Credit Card Processor Authorization Request Form. Comply with PCI DSS requirement 12.8 by ensuring the required language is included in the contract, maintaining a list of service providers, obtaining a document that identifies which requirements the merchant and service provider are responsible for, and obtaining evidence each year from service providers that they remain compliant.
- Before connecting a payment card terminal or other card processing device to the university network, please provide the merchant ID number, model and serial number, MAC address, building name, room number, jack number and IP to firstname.lastname@example.org. Also ask your local IT support to take these steps to tag the device in Netdot.
- Develop, maintain and implement merchant operating procedures (see below)
- Properly dispose of payment card terminals at the end of their useful life. Call Elavon terminals support at 1-800-777-7240 for instructions to wipe the terminal's memory, then complete a Property Disposition Request and Campus Ops will properly dispose of it for you.
Merchant Operating Procedures
To comply with PCI rules, each campus merchant must maintain and implement their own set of written operating procedures. Here is a template to use that covers 90% of what is required.
Payment Card Terminal Security
Unit security officer, business manager will:
- Become familiar with the PCI Council Skimming Prevention Best Practices.
- Train all personnel who operate a point of sale terminal to inspect the terminal before the first transaction of each day.
- Report suspicious behavior, such as unexpected repair technicians, bribes, coercion and signs of device tampering or substitution to the university cashier.
- Take pictures of the body of the card swipe terminal, and all cables and connections to compare during inspections.
- When inspecting the terminal, look for: damaged or altered seals, missing manufacturer labels, missing or damaged screws, incorrect keyboard overlays, external wires, damage to the housing, incorrect serial number, or anything else out of the ordinary.
- Report all performance issues to the university cashier.
- Ensure wireless terminals are not Wi-Fi enabled.
- Physically secure the payment terminal. Place payment terminals in a manner that offers the greatest level of security, observation and monitoring. When not in use, lock in an office or cabinet. When unattended for brief periods, place behind the public service counter. Where practical, use cable locks to prevent the terminal from being replaced and secure terminal connections in conduit.
- Look out for hidden cameras installed in false ceilings or leaflet and charity boxes next to PIN pads.
Payment Card Terminal Operators will:
- Use the Payment Terminal Evaluation Forms (or something similar) to physically inspect all payment terminals before the first transaction each business day.
- Take a quick look for broken or discolored surfaces, changed serial number, ripped security labels, altered cables, and any other sign of tampering or swapping.
- Refer to Payment Terminal Skimming Prevention for images depicting tampering
- Contact the university cashier before updating, servicing, or returning a card terminal.
| SAQ | Description | PCI DSS requirements | Link |
|---|---|---|---|
| SAQ P2PE | SAQ P2PE merchants do not have access to clear-text cardholder data on any computer system and only enter account data via hardware payment terminals from a PCI SSC-approved P2PE solution. | 3, 9, 12 | Instructions |
| SAQ A | E-commerce, customer pays online using their own device and all cardholder data functions outsourced. Merchant site does not host the payment form or send scripts that help render the payment form or transmit card data. Note: BAO will prepare this SAQ A on behalf of all departments using QuikPAY. | 9, 12 | Instructions |
| SAQ A-EP | E-commerce, customer pays online using their own device and all payment processing is outsourced. Merchant website creates the payment form and the payment data is delivered directly to the payment processor (Direct Post). Or merchant website delivers script that runs in customer browser which supports the creation of the payment page, or the transmission of data to payment processor. | 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 | |
| SAQ B | Card swipe terminal connected via analog phone line or cell phone network, with no electronic cardholder data storage. | 3, 4, 7, 9, 12 | Instructions |
| SAQ B-IP | Card swipe terminal connected via Ethernet/IP, with no electronic cardholder data storage. | 1, 2, 3, 4, 6, 7, 8, 9, 11, 12 | Template |
| SAQ C-VT | Web-based virtual terminal, no electronic cardholder data storage. Typically a PC running a web browser to connect to a payment site hosted by a third party. Card data must be entered using the keyboard, not a magnetic strip reader. | 1, 2, 3, 4, 5, 6, 7, 9, 12 | Instructions |
| SAQ C | Payment application systems connected to the internet, no electronic cardholder data storage. The payment application must be segmented from other devices on the university network. The physical location of the POS environment is not connected to other premises or locations. | 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12 | Instructions |
| SAQ D | All other payment processing methods and environments not eligible for SAQ A through C above. SAQ D contains all 12 PCI DSS requirements and all 200 sub requirements. | | |
- Understanding version 3.0 SAQs
- SAQ Instruction guide 2.1
- Standard 11.2 Internal and External Scan Requirements (Oregon State Treasurer Guidance)
Need a Merchant ID?
To process customer credit cards, a campus merchant must have a bank account for the deposit of settled funds. State law requires that public funds (university funds) be deposited directly into a Treasury account. The university Cashier can assist campus merchants with requests for new merchant bank accounts or MIDs.
Separate MIDs are required for separate physical business locations, separate DBA names, and for internet vs. card present transactions.
The following information is needed to request a MID for internet payment processing:
- Department contact name, phone, fax, street address
- Business Name to appear on customer card statement (max 32 characters) example: U of O Public Safety
- Anticipated transaction volume per week
- Average transaction value $
- Description of product or service
- Phone number to appear on customer card statement
- Will you accept Discover? Yes or No
- URL of web page containing:
  - customer service phone number
  - return and refund policy
  - delivery method and time frame
  - privacy statement (customize sample at https://ba.uoregon.edu/content/electronic-commerce-privacy-statement)
  - make payment page (must begin with https://)
- Tech support name, phone, fax
The following information is needed to request a MID for card present transactions (Card swipe machine):
- Contact name, phone number & fax number.
- Street address you would like the terminal/software/materials delivered to (usually University Cashier).
- Mailing address.
- Doing Business As (DBA) name to show on customer card statements (max 24 characters) example: U of O School of Music
- Estimated start date.
- Sales volume expected: $ monthly, # transactions monthly.
- Percentage of transactions over the counter (card present), Percentage Mail/Telephone orders
- Average transaction dollar amount.
- Do you want pin debit options Yes or No?
- Product or service?
- Delay in shipping product policy (not applicable for services)
- Phone number to appear on customer card statement.
- Do you wish to accept Discover? Yes or No
- Do you wish to accept American Express? Yes or No
On-line Registration/Order Form Required Elements
The following items are required for any university credit card order form:
- Business name including UO affiliation
- Customer service telephone number and email address
- Warning stating the University of Oregon will not process card numbers submitted by email. Please do not send sensitive private data by email.
- Return and refund policy
- Delivery method and time frame (if applicable)
- Link to university privacy statement https://ba.uoregon.edu/content/electronic-commerce-privacy-statement
- Listing of products and prices in US dollars.
- SSL encryption https://
- The domain must be registered to the merchant.
- English translation for foreign language sites
Data Security Incident Response Plan
See the Information Security Office page for information about the university's Information Security program and Incident response procedure.
Security Awareness Training
Employees directly or indirectly (managers) involved in credit card payment acceptance (all methods) must participate in PCI security awareness training annually.
To register, search for PCI security awareness in the My Track Learning Library.
There is a shortened version for payment clerks.
- UO Department Payment Card Procedures
- UO Terminal Inspection Log
- Terminal Security Forum May 29 2019
- Payment card terminal inspection log (one terminal)
- Payment card terminal inspection log (multiple terminals)
- UO Ticket Office terminal inspection log
- Payment Terminal Skimming Prevention Best Practices
- Terminal Evaluation Forms
- Incident Report
- Card Swipe & Virtual Merchant Meeting Feb 2012
- Catering card swipe training document
- Fraud detection (VISA)
- Payment Card Terminals (Elavon)
- Account codes for deposit of university credit card proceeds
  - 03611 private individual gift, cash donations not involving an exchange of goods or services
  - 06499 Other Event Income
  - 06033 Wearing Apparel Sales
  - 06035 Tapes CDs Prerecorded Sales
  - 06031 Confections Sales
  - 06723 Rental Income/Facilities Use
  - 06403 Conference Income
  - 06420 Concession Income
If the product or service being paid for is primarily intended for international customers paying online rather than in person, and the average payment amount is high, then we recommend using Flywire. Flywire provides the customer the ability to pay using their native currency with favorable wire fees and international exchange rates. Flywire also provides the option of credit card payment with the card processing fees paid for by the customer rather than the university department. To get started with Flywire or discuss international payment options please contact email@example.com